package com.lz.virtualthread.framework.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * spring security配置
 *
 * @author xpp
 */
@Configuration
@EnableWebSecurity
public class ElcSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        //有动态权限配置时添加动态权限校验过滤器


        // 基于 token，不需要 csrf

        http.csrf(csrf -> csrf.disable())

                // 基于 token，不需要 session

                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))

                // 禁用basic明文验证

                .httpBasic(basic -> basic.disable())

                // 禁用默认登录页

                .formLogin(login -> login.disable())

                // 禁用默认登出页

                .logout(logout -> logout.disable())

                // 设置 处理认证失败、鉴权失败处理器
                // 设置 匿名访问url

                .authorizeHttpRequests((authorize) -> authorize

                        .requestMatchers("/monitor/**").permitAll()
                        .requestMatchers("/*/**").permitAll()
                        .anyRequest().authenticated());

        return http.build();

    }
}
